Computer Security 3/23/18

Similar documents
Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Public Key Cryptography

Cryptographic Systems

Cryptography MIS

Chapter 9 Public Key Cryptography. WANG YANG

Computer Security: Principles and Practice

Key Exchange. Secure Software Systems

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

EEC-484/584 Computer Networks

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Network Security Essentials

Cryptographic Concepts

Encryption Details COMP620

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Symmetric Encryption Algorithms

Cryptography and Network Security. Sixth Edition by William Stallings

CSC 474/574 Information Systems Security

Chapter 9. Public Key Cryptography, RSA And Key Management

Making and Breaking Ciphers

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Chapter 3 Block Ciphers and the Data Encryption Standard

CSE 127: Computer Security Cryptography. Kirill Levchenko

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

LECTURE 4: Cryptography

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Public Key Algorithms

Network Security Essentials Chapter 2

Public Key Algorithms

Computer and Data Security. Lecture 3 Block cipher and DES

Symmetric Cryptography. CS4264 Fall 2016

Public Key Algorithms

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

Public Key Cryptography

CS61A Lecture #39: Cryptography

EEC-682/782 Computer Networks I

Lecture 4: Symmetric Key Encryption

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Cryptography and Network Security

Cryptographic Algorithms - AES

Cryptography and Network Security

Chapter 3 Public Key Cryptography

Symmetric Cryptography. Chapter 6

Public Key Cryptography and RSA

Applied Cryptography and Computer Security CSE 664 Spring 2018

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

Key Management and Distribution

Encryption. INST 346, Section 0201 April 3, 2018

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Overview. Public Key Algorithms I

Fundamentals of Cryptography

Technological foundation

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

n-bit Output Feedback

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CS669 Network Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CSC 474/574 Information Systems Security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Cryptography and Network Security

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

3 Symmetric Cryptography

CSC 474/574 Information Systems Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

CIS 4360 Secure Computer Systems Symmetric Cryptography

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Data Encryption Standard (DES)

Symmetric, Asymmetric, and One Way Technologies

Lecture 3: Symmetric Key Encryption

7. Symmetric encryption. symmetric cryptography 1

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

APNIC elearning: Cryptography Basics

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Public-key encipherment concept

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Analysis, demands, and properties of pseudorandom number generators

Lecture 6: Overview of Public-Key Cryptography and RSA

Syrvey on block ciphers

PGP: An Algorithmic Overview

Some Stuff About Crypto

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Channel Coding and Cryptography Part II: Introduction to Cryptography

Transcription:

s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks s are usually iterative ciphers The encryption process is an iteration through several round operations Input: plaintext Round 0 Round 1 Round 2, K K0 K1 K2 Rutgers University Spring 2018 Round n-1 Kn-1 Output: ciphertext 1 2 rounds Each round consists of substitutions & permutations Substitution = S-box Table lookup Input: plaintext Converts a small block of input to substitutions K0 a block of output Round 0 Changing one bit of input should permutations change approximately ½ of output bits Round 1 Permutation Round 1 Scrambles the bits in a prescribed order Round n-1 Output: ciphertext application per round Subkey per round derived from the key Can drive behavior of s-boxes May be XORed with the output of each round 3 Feistel cipher DES is a type of Feistel cipher, which is a form of a block cipher Plaintext block is split in two Round function applied to one half of the block Output of the round function is XORed with other half of the block Halves are swapped AES is not a Feistel cipher Round Left half Output left half lock of Plaintext Round function Right half Output right half subkey 4 AES (Advanced Encryption Standard) : 128-bit blocks DES used 64-bit blocks Successor to DES as a standard encryption algorithm DES: 56-bit key AES: 128, 192, or 256 bit keys AES (Advanced Encryption Standard) Iterative cipher, just like most other block ciphers Each round is a set of substitutions & permutations Variable number of rounds DES always used 16 rounds AES: 10 rounds: 128-bit key 12 rounds: 192-bit key 14 rounds: 256-bit key A subkey ( round key ) derived from the key is computed for each round DES did this too 5 6 Paul Krzyzanowski 1

Each AES Round Step 1: yte Substitution (s-boxes) Substitute 16 input bytes by looking each one up in a table (S-box) Result is a 4x4 matrix Step 2: Shift rows Each row is shifted to the left (wrapping around to the right) 1 st row not shifted; 2 nd row shifted 1 position to the left; 3 rd row shifted 2 positions; 4 th row shifted three positions Step 3: Mix columns 4 bytes in each column are transformed yte Substitution This creates a new 4x4 matrix Shift rows (permutation) Step 4: XOR round key XOR the 128 bits of the round key with Mix columns (permutation) the 16 bytes of the matrix in step 3 AES Decryption Same rounds but in reverse order XOR round key (substitution) March 23, 18, 2018 78 8 DES Disadvantages DES has been shown to have some weaknesses can be recovered using 2 47 chosen plaintexts or 2 43 known plaintexts Note that this is not a practical amount of data to get for a real attack Short block size (8 bytes = 2 8 = 64 bits) The real weakness of DES is its 56-bit key Exhaustive search requires 2 55 iterations on average 3DES solves the key size problem: we can have keys up to 168 bits. Differential & linear cryptanalysis is not effective here: the three layers of encryption use 48 rounds instead of 16 making it infeasible to reconstruct s-box activity. DES is relatively slow It was designed with hardware encryption in mind: 3DES is 3x slower than DES Still much faster than RSA public key cryptosystems! AES Advantages Larger block size: 128 bits vs 64 bits Larger & varying key sizes: 128, 192, and 256 bits 128 bits is complex enough to prevent brute-force searches No significant academic attacks beyond brute force search Resistant against linear cryptanalysis thanks to bigger S-boxes S-box = lookup table that adds non-linearity to a set of bits via transposition & flipping DES: 6-bit inputs & 4-bit outputs AES: 8-bit inputs & 8-bit outputs Typically 5-10x faster in software than 3DES 9 10 Attacks against AES Attacks have been found This does not mean that AES is insecure! ecause of the attacks: AES-128 has computational complexity of 2 126.1 (~126 bits) AES-192 has computational complexity of 2 189.7 (~189 bits) AES-256 has computational complexity of 2 254.9 (~254 bits) The security of AES can be increased by increasing the number of rounds in the algorithm However, AES-128 still has a sufficient safety margin to make exhaustive search attacks impractical Cryptographic attacks Chosen plaintext Attacker can create plaintext and see the corresponding ciphertext Known plaintext Attacker has access to both plaintext & ciphertext but doesn t get to choose the text Ciphertext-only The attacker only sees ciphertext Popular in movies but rarely practical in real life 11 12 Paul Krzyzanowski 2

Differential Cryptanalysis Examine how changes in input affect changes in output Discover where a cipher exhibits non-random behavior These properties can be used to extract the secret key Applied to block ciphers, stream ciphers, and hash functions (functions that flip & move bits vs. mathematical operations) Chosen plaintext attack is normally used Attacker must be able to choose the plaintext and see the corresponding cipher text Differential Cryptanalysis Provide plaintext with known differences See how those differences appear in the ciphertext The properties depend on the key and the s-boxes in the algorithm Do this with lots and lots of known plaintext-ciphertext sets Statistical differences, if found, may allow a key to be recovered faster than with a brute-force search You may deduce that certain keys are not worth trying 13 14 Linear Cryptanalysis Create a predictive approximation of inputs to outputs Instead of looking for differences, linear cryptanalysis attempts to come up with a linear formula (e.g., a bunch of xor operations) that connects certain input bits, output bits, and key bits with a probability higher than random Goal is to approximate the behavior of s-boxes It will not recreate the working of the cipher You just hope to find non-random behavior that gives you insight on what bits of the key might matter Works better than differential cryptanalysis for known plaintext Differential cryptanalysis works best with chosen plaintext Linear & differential cryptanalysis will rarely recover a key but may be able to reduce the number of keys that need to be searched. Not a good idea to use block ciphers directly Streams of data are broken into k-byte blocks Each block encrypted separately This is called Electronic Codebook (EC) Problems 1. Same plaintext results in identical encrypted blocks Enemy can build up a code book of plaintext/ciphertext matches 2. Attacker can add/delete/replace blocks P 0 P 1 P 2 P 3 P 4 C 0 C 1 C 2 C 3 C 4 Intruder can replace individual blocks 15 16 Cipher lock Chaining (CC) mode Random initialization vector (IV) = bunch of k random bits Non-secret: both parties need to know this Exclusive-or with first plaintext block then encrypt the block Take exclusive-or of the result with the next plaintext block c i = E K (m) c i-1 CC Observations Identical blocks of plaintext do not produce the same ciphertext Each block is a function of all previous blocks ut an attacker can still cause data corruption IV Plaintext 0 Plaintext 1 Plaintext N Ciphertext 0 Ciphertext 1 Ciphertext N lock 0 lock 1 lock N 17 18 Paul Krzyzanowski 3

lock encryption: Counter (CTR) mode Random starting counter = bunch of k random bits, just like IV Any function producing a non-repeating sequence (an incrementing number is a common function) Encrypt the counter with the key Exclusive-or result with plaintext block Counter(i) Counter(i+1) Popular symmetric algorithms AES (Advanced Encryption Standard) FIPS standard since 2002 128, 192, or 256-bit keys; operates on 128-bit blocks DES, 3DES FIPS standard since 1976 56-bit key; operates on 64-bit (8-byte) blocks Triple DES recommended since 1999 (112 or 168 bits) lowfish length from 23-448 bits; 64-bit blocks Plaintext Ciphertext Plaintext Ciphertext IDEA 128-bit keys; operates on 64-bit blocks More secure than DES but faster algorithms are available 19 20 Communicating with symmetric cryptography oth parties must agree on a secret key, K Message is encrypted, sent, decrypted at other side Distribution E K (P) D K (C) distribution must be secret otherwise messages can be decrypted users can be impersonated 21 22 explosion distribution Each pair of users needs a separate key for secure communication K A 2 users: 1 key K AC K A K C Secure key distribution is the biggest problem with symmetric cryptography Charles 4 users: 6 keys 3 users: 3 keys 100 users: 4,950 keys 1000 users: 399,500 keys 6 users: 15 keys n( n - 1) n users: keys 2 23 24 Paul Krzyzanowski 4

Public-key algorithm Two related keys. C = E K1 (P) P = D K2 (C) C = E K2 (P) P = D K1 (C ) Examples: RSA, Elliptic curve algorithms, DSS (digital signature standard) K 1 is a public key K 2 is a private key length Unlike symmetric cryptography, not every number is a valid key 3072-bit RSA = 256-bit elliptic curve = 128-bit symmetric cipher 15360-bit RSA = 521-bit elliptic curve = 256-bit symmetric cipher RSA Public Cryptography Ron Rivest, Adi Shamir, Leonard Adleman created a true public key encryption algorithm in 1977 Each user generates two keys: Private key (kept secret) Public key (can be shared with anyone) Difficulty of algorithm based on the difficulty of factoring large numbers keys are functions of a pair of large (~300 digits) prime numbers 25 26 RSA algorithm How to generate keys choose two random large prime numbers p, q Compute the product n = pq randomly choose the encryption key, e, such that: e and (p - 1)(q - 1) are relatively prime Compute a decryption key, d such that: ed = 1 mod ((p - 1) (q - 1)) d = e -1 mod ((p - 1) (q - 1)) discard p, q The security of the algorithm rests on our understanding that factoring n is extremely difficult RSA Encryption What you need: pair: e, d Agreed-upon modulus: n Encrypt: divide data into numerical blocks < n encrypt each block: c = m e mod n Decrypt: m = c d mod n 27 28 Communication with public key algorithms Communication with public key algorithms Different keys for encrypting and decrypting No need to worry about key distribution s public key: K A s public key: K ( s private key: K a ) ( s private key: K b ) E (P) D b (C) encrypt message with s public key decrypt message with s private key D a (C) E A (P) decrypt message with s private key encrypt message with s public key 29 30 Paul Krzyzanowski 5

RSA isn t good for large-scale encryption Calculations are very expensive (& key generation is slow) Common speeds: Algorithm ytes/sec AES-128-EC 148,000,000 AES-128-CC 153,000,000 AES-256-EC 114,240,000 RSA-2048 encrypt 3,800,000 RSA-2048 decrypt 96,000 AES ~1500x faster to decrypt; 40x faster to encrypt RSA is also subject to mathematical attacks Certain keys (numbers) may expose weaknesses If anyone learns your private key, they can read all your messages Diffie-Hellman Exchange distribution algorithm Allows two parties to exchange keys securely Not public key encryption ased on difficulty of computing discrete logarithms in a finite field compared with ease of calculating exponentiation Allows us to negotiate a secret common key without fear of eavesdroppers 31 32 Diffie-Hellman Exchange Diffie-Hellman exponential key exchange All arithmetic performed in a field of integers modulo some large number oth parties agree on a large prime number p and a number a < p Each party generates a public/private key pair has secret key X A sends public key Y A computes X A has secret key X sends public key Y Private key for user i: X i K = ( s public key) ( s private key) i Public key for user i: Y i = a X 33 34 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange has secret key X A has secret key X has secret key X A has secret key X sends public key Y A sends public key Y sends public key Y A sends public key Y computes computes computes computes X A K = ( s public key) ( s private key) X A K Y X A X = expanding: X A X X A = (a ) = a X X A expanding: A X X X A = (a ) = a X A X K = K K is a common key, known only to and 35 36 Paul Krzyzanowski 6

Hybrid Cryptosystems Communication with a hybrid cryptosystem Session key: randomly-generated key for one communication session Use a public key algorithm to send the session key Use a symmetric algorithm to encrypt data with the session key Pick a random session key, K E K (K) s public key: K K Public key algorithms are almost never used to encrypt messages Vulnerable to chosen plaintext attacks MUCH slower; RSA-2048 approximately 40x slower to encrypt and 1,500x slower to decrypt than AES-256 encrypt session key with s public key Now knows the secret session key, K K = D b (E (K)) decrypts K with his private key 37 38 Communication with a hybrid cryptosystem Communication with a hybrid cryptosystem s public key: K s public key: K E (K) K = D b (E (K)) E (K) K = D b (E (K)) E K (P) D K (C) E K (P) D K (C) encrypt message using a symmetric algorithm and key K decrypt message using a symmetric algorithm and key K D K (C ) E K (P ) decrypt message using a symmetric algorithm and key K encrypt message using a symmetric algorithm and key K 39 40 Forward Secrecy Suppose an attacker steals s private key Future messages can be compromised ut past messages that used the key can also be decrypted Pick a session key Encrypt it with the 's public key Security rests entirely on the secrecy of 's private key decrypts the session key If 's private key is compromised, all recorded past traffic can be decrypted Forward Secrecy Forward secrecy Compromise of long term keys does not compromise past session keys There is no one secret to steal that will compromise multiple messages Diffie-Hellman Use common key as the encryption/decryption key Or as a key to encrypt a session key Not recoverable as long as long as private keys are thrown away after each session Unlike RSA keys, Diffie Hellman makes key generation simple s must be ephemeral Client & server will generate new Diffie-Hellman parameters for each session all will be thrown away after the session Diffie-Hellman is preferred over RSA for key exchange to achieve forward secrecy generating Diffie-Hellman keys is a rapid, low-overhead process 41 42 Paul Krzyzanowski 7

Cryptographic systems: summary Symmetric ciphers ased on SP networks = substitution & permutation sequences Asymmetric ciphers public key cryptosystems ased on trapdoor functions Easy to compute in one direction; difficult to compute in the other direction without special information (the trapdoor) Hybrid cryptosystem Pick a random session key Use a public key algorithm to send Use a symmetric key algorithm to encrypt traffic back & forth exchange algorithms (more to come later) Diffie Hellman Enables secure communication Public key without knowledge of a shared secret RSA cryptography in the future ased on the difficulty of factoring products of two large primes Factoring algorithms get more efficient as numbers get larger As the ability to decrypt numbers increases, the key size must therefore grow even faster This is not sustainable (especially for embedded devices) 45 46 Elliptic Curve Cryptography Alternate approach: elliptic curves y 2 = x 3 + ax + b Using discrete numbers, pick A prime number as a maximum (modulus) A curve equation A public base point on the curve A random private key Public key is derived from the private key, the base point, and the curve To compute the private key from the public, We need an elliptic curve discrete logarithm function This is difficult and is the basis for ECC s security Catalog of elliptic curves https://en.wikipedia.org/wiki/elliptic_curve ECC vs. RSA RSA is still the most widely used public key cryptosystem Mostly due to inertia & widespread implementations Simpler implementation & faster decryption ECC offers higher security with fewer bits than RSA ECC is also faster (for key generation & encryption) and uses less memory NIST defines 15 standard curves for ECC Many implementations support only a couple (P-256, P-384) For long-term security The European Union Agency for Network and Information Security (ENISA) and the National Institute for Science & Technology (NIST) recommend: AES: 256 bit keys RSA: 15,360 bit keys ECC: 512 bit keys https://www.keylength.com/en/4/ http://https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 47 48 Quantum Computers Once (if) real quantum computers can be built, they can Crack a symmetric cipher in time proportional to the square root of the key space size: 2 n/2 Use 256-bit AES to be safe The End Factor efficiently RSA and many elliptic curve algorithms will not be secure anymore NSA called for a migration to post-quantum cryptographic algorithms but no agreement yet on what they are 49 50 Paul Krzyzanowski 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback